add rsa key import methods to handle pem and der encoding directly #252
Conversation
examples/keygen/keyimport.c
@@ -33,16 +33,47 @@ | |||
|
|||
#ifndef WOLFTPM2_NO_WRAPPER | |||
|
|||
static const char* kRsaKeyPrivPem = |
Please add a comment about where this RSA private key came from. Like `./certs/server-key.pem`?
I moved it to a file instead; I was just copying the way the DER key was included raw.
examples/keygen/keyimport.c
@@ -55,6 +86,8 @@ int TPM2_Keyimport_Example(void* userCtx, int argc, char *argv[]) | |||
TPM_ALG_ID paramEncAlg = TPM_ALG_NULL; | |||
WOLFTPM2_SESSION tpmSession; | |||
const char* outputFile = "keyblob.bin"; | |||
uint8_t derEncode = 0; |
I like stdint.h types, but please use `byte`. Thanks
So is it only wolfBoot that uses uint types?
examples/keygen/keyimport.c
} | ||
else if (pemEncode == 1) { | ||
rc = wolfTPM2_RsaPrivateKeyImportPem(&dev, &storage, &impKey, | ||
kRsaKeyPrivPem, strlen(kRsaKeyPrivPem), NULL, |
Please use `(word32)XSTRLEN(kRsaKeyPrivPem)`.
src/tpm2_wrap.c
word32 pSz = sizeof(p); | ||
word32 qSz = sizeof(q); | ||
|
||
if (dev && parentKey && keyBlob && input && inSz != 0) |
Confusing logic. Would prefer init `rc = 0` and set `rc = BAD_FUNC_ARG;` on failure.
Saw it in some wolfSSL function and thought it was concise; if it's not preferred I'll change it.
src/tpm2_wrap.c
byte d[RSA_MAX_SIZE / 8]; | ||
byte p[RSA_MAX_SIZE / 8]; | ||
byte q[RSA_MAX_SIZE / 8]; | ||
word32 eSz = sizeof(e); |
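Review bot: `d`, `p` and `q` in this hunk are stack buffers that receive RSA private-key material (private exponent and the two primes); clear them before every return path, for example with `ForceZero(d, sizeof(d));` and likewise for `p` and `q`, so the key material does not linger on the stack after the import completes or fails.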
Must cast these: `word32 eSz = (word32)sizeof(e);`
src/tpm2_wrap.c
/* der size is base 64 decode length */ | ||
derSz = inSz * 3 / 4 + 1; | ||
|
||
derBuf = XMALLOC(derSz, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
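Review bot: the `inSz * 3 / 4 + 1` bound is safe as an upper limit (base64 decodes four characters to three bytes, and the BEGIN/END lines and newlines only make the real DER shorter), but because `derBuf` is heap-allocated here, every error return between this `XMALLOC` and the end of the function must release it, otherwise a failing `wc_KeyPemToDer` call leaks the buffer. Consider rejecting `inSz < 4` up front as well, since `derSz` would then be 1.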
`derBuf = (byte*)XMALLOC`
I need to remember that; you've corrected me on it before, but I keep doing it.
src/tpm2_wrap.c
if (rc == 0) | ||
rc = wc_KeyPemToDer((byte*)input, inSz, derBuf, derSz, pass); | ||
|
||
/* returns the number of bytes*/ |
Nit: space between `bytes*/`
src/tpm2_wrap.c
rc = wc_KeyPemToDer((byte*)input, inSz, derBuf, derSz, pass); | ||
|
||
/* returns the number of bytes*/ | ||
if (rc > 0) |
What about the `rc == 0` case?
Can you have a DER key with 0 byte length? I thought that would return a bad arg error. I looked at the underlying function `PemToDer`, and if it doesn't find an ASN header it returns `ASN_NO_PEM_HEADER`, which is less than 0.
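A minimal PEM-to-DER decoder, added here as an illustration and not code from wolfTPM or wolfSSL, that makes the return-code contract discussed in this thread explicit: a positive return is the DER length, a negative return is an error, and a BEGIN/END pair with no body is reported as an error instead of being returned as 0, so a caller can treat `rc <= 0` uniformly as failure. The size bound is the same `inSz * 3 / 4 + 1` the PR uses. The names `pem_to_der_example`, `pem_der_size_bound` and the `PEM_E_*` codes are hypothetical, and the sample PEM bodies are constructed (a five-byte DER SEQUENCE holding INTEGER 5), not real keys.

```c
/* Added example, not wolfTPM or wolfSSL code. Minimal PEM -> DER decoder:
 *   > 0 : number of DER bytes written
 *   < 0 : error (PEM_E_* names below are hypothetical)
 * An empty body is PEM_E_EMPTY rather than 0, so rc <= 0 is always failure. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define PEM_E_NO_HEADER  (-1)  /* no "-----BEGIN " line, cf. ASN_NO_PEM_HEADER */
#define PEM_E_NO_FOOTER  (-2)  /* BEGIN found but no "-----END " line */
#define PEM_E_BAD_BASE64 (-3)  /* character outside the base64 alphabet */
#define PEM_E_EMPTY      (-4)  /* header and footer present, zero body bytes */
#define PEM_E_BUFFER     (-5)  /* output buffer too small */

/* Same bound the PR uses: base64 maps 4 chars to 3 bytes; the BEGIN/END
 * lines and newlines only make the real DER shorter than this. */
size_t pem_der_size_bound(size_t inSz)
{
    return inSz * 3 / 4 + 1;
}

static int b64val(int c)
{
    if (c >= 'A' && c <= 'Z') return c - 'A';
    if (c >= 'a' && c <= 'z') return c - 'a' + 26;
    if (c >= '0' && c <= '9') return c - '0' + 52;
    if (c == '+') return 62;
    if (c == '/') return 63;
    return -1;
}

/* Bounded substring search; pem is not assumed to be NUL-terminated. */
static const char* find_tag(const char* s, size_t n, const char* tag)
{
    size_t tl = strlen(tag), i;
    for (i = 0; i + tl <= n; i++) {
        if (memcmp(s + i, tag, tl) == 0) return s + i;
    }
    return NULL;
}

int pem_to_der_example(const char* pem, size_t pemSz,
                       unsigned char* der, size_t derSz)
{
    const char *begin, *body, *end, *p;
    size_t outLen = 0;
    unsigned int acc = 0;
    int bits = 0;

    if (pem == NULL || der == NULL || pemSz == 0) return PEM_E_NO_HEADER;

    begin = find_tag(pem, pemSz, "-----BEGIN ");
    if (begin == NULL) return PEM_E_NO_HEADER;
    body = memchr(begin, '\n', pemSz - (size_t)(begin - pem));
    if (body == NULL) return PEM_E_NO_HEADER;
    body++;                                   /* first byte after BEGIN line */
    end = find_tag(body, pemSz - (size_t)(body - pem), "-----END ");
    if (end == NULL) return PEM_E_NO_FOOTER;

    /* Decode base64 between body and end, skipping line breaks. */
    for (p = body; p < end; p++) {
        int v;
        if (*p == '\n' || *p == '\r' || *p == ' ' || *p == '\t') continue;
        if (*p == '=') break;                 /* padding: body is finished */
        v = b64val((unsigned char)*p);
        if (v < 0) return PEM_E_BAD_BASE64;
        acc = (acc << 6) | (unsigned int)v;
        bits += 6;
        if (bits >= 8) {
            bits -= 8;
            if (outLen >= derSz) return PEM_E_BUFFER;
            der[outLen++] = (unsigned char)((acc >> bits) & 0xFF);
            acc &= (1u << bits) - 1u;         /* keep only the leftover bits */
        }
    }
    if (outLen == 0) return PEM_E_EMPTY;      /* the rc == 0 case, made explicit */
    return (int)outLen;
}

/* Constructed samples (not real keys): "MAMCAQU=" is the base64 of the
 * 5-byte DER SEQUENCE { INTEGER 5 } = 30 03 02 01 05. */
static const char kSamplePem[] =
    "-----BEGIN EXAMPLE KEY-----\n"
    "MAMCAQU=\n"
    "-----END EXAMPLE KEY-----\n";
static const char kEmptyPem[] =
    "-----BEGIN EXAMPLE KEY-----\n"
    "-----END EXAMPLE KEY-----\n";
static const char kNotPem[] = "this is not a PEM file\n";

static unsigned char gDer[64];

int sample_der_len(void)
{
    return pem_to_der_example(kSamplePem, sizeof(kSamplePem) - 1, gDer, sizeof(gDer));
}
int sample_der_byte(int i) { return gDer[i]; }   /* valid after sample_der_len() */
int empty_pem_rc(void)
{
    return pem_to_der_example(kEmptyPem, sizeof(kEmptyPem) - 1, gDer, sizeof(gDer));
}
int no_header_rc(void)
{
    return pem_to_der_example(kNotPem, sizeof(kNotPem) - 1, gDer, sizeof(gDer));
}

int main(void)
{
    int rc = sample_der_len(), i;
    if (rc > 0) {
        printf("DER (%d bytes):", rc);
        for (i = 0; i < rc; i++) printf(" %02x", sample_der_byte(i));
        printf("\n");
    }
    printf("empty body rc = %d, no header rc = %d\n", empty_pem_rc(), no_header_rc());
    return 0;
}
```

The point of `PEM_E_EMPTY` is the one raised in the review: if the decoder could return 0 for a syntactically valid but empty body, an `if (rc > 0)` guard would silently skip the import and leave `rc` at 0, which the caller then reads as success. Making the empty case a negative code keeps the "negative is failure, positive is length" contract unambiguous.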
examples/keygen/keyimport.c
@@ -77,6 +110,15 @@ int TPM2_Keyimport_Example(void* userCtx, int argc, char *argv[]) | |||
else if (XSTRCMP(argv[argc-1], "-xor") == 0) { | |||
paramEncAlg = TPM_ALG_XOR; | |||
} | |||
else if (XSTRCMP(argv[argc-1], "-pem") == 0) { |
`-pem` is in here twice. Looks like a copy/paste issue. This one should be deleted.
examples/keygen/keyimport.c
byte derEncode = 0; | ||
byte pemEncode = 0; | ||
FILE* pemFile = NULL; | ||
char pemBuf[2048]; |
Just use `WOLFTPM2_MAX_BUFFER`
examples/keygen/keyimport.c
rc = wolfTPM2_RsaPrivateKeyImportPem(&dev, &storage, &impKey, | ||
kRsaKeyPrivPem, strlen(kRsaKeyPrivPem), NULL, | ||
TPM_ALG_NULL, TPM_ALG_NULL); | ||
pemFile = fopen("./certs/example-rsa-key.pem", "r"); |
Please use `XFOPEN`
Add support to take the key filename as an argument. Default to this example.
examples/keygen/keyimport.c
TPM_ALG_NULL, TPM_ALG_NULL); | ||
pemFile = fopen("./certs/example-rsa-key.pem", "r"); | ||
|
||
rc = fread(pemBuf, 1, 2048, pemFile); |
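Review bot: `fread` runs without checking that the `fopen` on the line above succeeded, so a missing `./certs/example-rsa-key.pem` passes a NULL `FILE*` to `fread`. Check `pemFile` for NULL and fail with a clear error before reading. Also, a PEM file of 2048 bytes or more is silently truncated by the fixed `fread(pemBuf, 1, 2048, pemFile)` size; detect the full-buffer case (return value equal to the buffer size) and report it rather than importing a cut-off key.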
Please use `XFREAD` and use `sizeof(pemBuf)`
examples/keygen/keyimport.c
pemBuf, rc, NULL, TPM_ALG_NULL, TPM_ALG_NULL); | ||
} | ||
|
||
fclose(pemFile); |
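Review bot: `fclose(pemFile)` is reached unconditionally, including when `fopen` failed and `pemFile` is still NULL; guard it with `if (pemFile != NULL)` so the error path does not call `fclose` on a null pointer.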
`XFCLOSE`
src/tpm2_wrap.c
if (derBuf == NULL) | ||
return MEMORY_E; | ||
|
||
if (rc == 0) |
This `rc == 0` is not needed. Remove please.
certs/include.am
@@ -7,4 +7,5 @@ EXTRA_DIST += \ | |||
certs/ca-rsa.cnf \ | |||
certs/ca-ecc.cnf \ | |||
certs/wolf-ca-ecc-cert.pem \ | |||
certs/wolf-ca-rsa-cert.pem | |||
certs/wolf-ca-rsa-cert.pem \ |
Nit: Indentation is off here.
examples/keygen/keyimport.c
printf("* -ecc: Use RSA or ECC for keys\n"); | ||
printf("* -aes/xor: Use Parameter Encryption\n"); | ||
printf("* -pem/der: Key encoding type, none for binary\n"); |
NIT: I'd prefer `-pem=` support where the `=name` is optional.
examples/keygen/keyimport.c
byte pemEncode = 0; | ||
FILE* pemFile = NULL; | ||
char pemBuf[WOLFTPM2_MAX_BUFFER]; | ||
char pemName[WOLFTPM2_MAX_BUFFER]; |
This is too long for a filename and it should just be a `char*` with a default that can be changed.

```c
const char* pemName = "./certs/example-rsa-key.pem";
/* then later just set this to the argv */
pemName = (const char*)argv[i + 1];
```
examples/keygen/keyimport.c
printf("Failed to read pem file %s\n", pemName); | ||
|
||
if (rc == 0) | ||
rc = XFREAD(pemBuf, 1, sizeof(pemBuf), pemFile); |
Add explicit cast to `int`:
examples/keygen/keyimport.c:167:22: error: implicit conversion loses integer precision: 'unsigned long' to 'int' [-Werror,-Wshorten-64-to-32]
rc = XFREAD(pemBuf, 1, sizeof(pemBuf), pemFile);
~ ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
How do I test this? Do I need to set CC to clang?
examples/keygen/keyimport.c
printf("Warning: No pem file specified, using default: %s\n", pemName); | ||
} | ||
else { | ||
XMEMCPY(pemName, argv[i + 1], XSTRLEN(argv[i + 1]) + 1); |
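Review bot: `XMEMCPY(pemName, argv[i + 1], XSTRLEN(argv[i + 1]) + 1)` copies the argument without checking its length against `sizeof(pemName)`, so an over-long command-line argument overflows the stack buffer. Either bound the copy (`XSTRNCPY` with `sizeof(pemName) - 1` and an explicit terminator) or make `pemName` a `const char*` that points at `argv[i + 1]` so nothing is copied at all.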
Please print the name of the file used in the console output.
src/tpm2_wrap.c
derSz = inSz * 3 / 4 + 1; | ||
|
||
derBuf = (byte*)XMALLOC(derSz, NULL, DYNAMIC_TYPE_TMP_BUFFER); | ||
|
Remove the extra line here.
Very close! Looks great, just a couple comments.
src/tpm2_wrap.c
word32 pSz = (word32)sizeof(p); | ||
word32 qSz = (word32)sizeof(q); | ||
|
||
wc_InitRsaKey(key, NULL); |
Please check the return code here. Only call free if `rc == 0`.
ZD 14996